Abstract

Measurements on entangled quantum systems necessarily yield outcomes that are intrinsically unpredictable if they violate a Bell inequality. This property can be used to generate certified randomness in a device-independent way, i.e., without making detailed assumptions about the internal working of the quantum devices used to generate the random numbers. Furthermore, these numbers are also private, i.e., they appear random not only to the user, but also to any adversary that might possess a perfect description of the devices. Since this process requires a small initial random seed to sample the behaviour of the quantum devices and to extract uniform randomness from the raw outputs of the devices, one usually speaks of device-independent randomness expansion.

The purpose of this paper is twofold. First, we point out that in most real, practical situations, where the concept of device-independence is used as a protection against unintentional flaws or failures of the quantum apparatuses, it is sufficient to show that the generated string is random with respect to an adversary that holds only classical side-information, i.e., proving randomness against quantum side-information is not necessary. Furthermore, the initial random seed does not need to be private with respect to the adversary, provided that it is generated in a way that is independent from the measured systems. The devices, though, will generate cryptographically-secure randomness that cannot be predicted by the adversary, and thus one can, given access to free public randomness, talk about private randomness generation.

The theoretical tools to quantify the generated randomness according to these criteria were already introduced in S. Pironio et al., Nature 464, 1021 (2010), but the final results were improperly formulated. The second aim of this paper is to correct this inaccurate formulation and therefore lay out a precise theoretical framework for practical device-independent randomness generation.

1 Introduction 

Random numbers are essential for many applications such as computer simulations, statistical sampling, gambling, or video games. They are particularly important for classical and quantum cryptography, where the use of a flawed random number generator (RNG) can completely compromise the security. Many solutions have thus been proposed for the generation of random numbers (for recent reviews on random number generation see, e.g., [1, 2, 3, 4, 5, 6, 7]), but none is entirely satisfactory. As quoted from Wikipedia [8], every random number generator (RNG) is subject to the following problems:

"It is very easy to misconstruct hardware or software devices which attempt to generate random numbers. Also, most 'break' silently, often producing decreasingly random numbers as they degrade. A physical example might be the rapidly decreasing radioactivity of the smoke detectors [. . .]. Failure modes in such devices are plentiful and are complicated, slow, and hard to detect.

Because many entropy sources are often quite fragile, and fail silently, statistical tests on their output should be performed continuously. Many, but not all, such devices include some such tests into the software that reads the device.

Just as with other components of a cryptosystem, a software random number generator should be designed to resist certain attacks. Defending against these attacks is difficult.

[On estimating entropy]. There are mathematical techniques for estimating the entropy of a sequence of symbols. None are so reliable that their estimates can be fully relied upon; there are always assumptions which may be very difficult to confirm. These are useful for determining if there is enough entropy in a seed pool, for example, but they cannot, in general, distinguish between a true random source and a pseudo-random generator.

[On performance test]. Hardware random number generators should be constantly monitored for proper operation. Unfortunately, with currently available (and foreseen) tests, passing such tests is not enough to be sure the output sequences are random. A carefully chosen design, verification that the manufactured device implements that design and continuous physical security to insure against tampering may all be needed in addition to testing for high value uses."

Device-independent randomness generation aims to address these problems by exploiting the intrinsic unpredictability associated with the violation of Bell inequalities [9, 10, 11]. More precisely, consider a quantum system composed of two separated parts A and B which, upon receiving respective inputs $V^a$ and $V^b$, return respective outputs $X^a$ and $X^b$. If after $n$ successive uses of the devices the observed data violate a Bell inequality, it is then possible to certify that the output string $(X^a_1, X^b_1), \ldots, (X^a_n, X^b_n)$ contains a certain amount of min-entropy, even when conditioned on the value of the inputs $(V^a_1, V^b_1), \ldots, (V^a_n, V^b_n)$, and a randomness extractor can therefore be applied to the outputs to obtain almost-uniform random bits. Furthermore, this conclusion can be reached independently of any detailed assumptions about the inner working of the devices and is thus immune to most of the problems mentioned above.

That the violation of Bell inequalities is an indicator of quantum randomness had probably been recognized early on by many physicists, but was made explicit only recently in [10, 11, 12]. Not surprisingly, it was suggested shortly thereafter that Bell inequality violating systems could be exploited for randomness generation, and a scheme based on GHZ states was proposed in [13]. The possibility of device-independent randomness generation, however, was established only in [14], where a method to bound the min-entropy of the devices' output as a function of the observed Bell violation was introduced. Furthermore, a proof-of-principle experimental demonstration was realised using two trapped ions.

The concept of device-independence (DI) is not restricted to randomness generation but includes adversarial applications such as quantum key distribution (QKD) [15, 16, 17, 18] and coin tossing [19], and non-adversarial ones such as state estimation [20], entanglement witnesses [21], and self-testing of quantum computers [22]. In adversarial applications of device-independence it is often remarked that since the correctness of the protocol can be verified without making assumptions about the inner working of the devices, these could even have been prepared by the adversary itself. This has at least two implications as regards the theoretical analysis of device-independent randomness generation (and has also various implications for its experimental implementation, some of which will be briefly discussed later on).

First, if the adversary is allowed to prepare the quantum devices, nothing prevents him from entangling them with a quantum state that he keeps for himself in a quantum memory. It is then a priori possible that if he sees part of the devices' output at some later stage, he could measure his quantum state in a way that would give him useful information about the remainder of the output string. One thus needs to show that the output produced by the devices also appears random with respect to the quantum side-information held by the adversary. The methods introduced in [14], however, have been shown so far to estimate randomness only against classical side-information, i.e., against adversaries who do not share entanglement with the quantum devices.

Second, if the adversary happens to have some prior knowledge of the inputs used to sample the devices, he could exploit it to program the devices in a way that would mimic the violation of a Bell inequality while at the same time giving him substantial information about the generated outputs. A random, private seed is thus necessary to select the inputs and start off the protocol. In addition, one also needs some initial randomness to extract uniform random bits from the devices' outputs. One thus often speaks of device-independent randomness expansion (DIRE). A scheme achieving quadratic expansion was presented in [14], where it was also suggested to use more than one pair of devices to obtain greater (e.g., exponential) expansion.

In this paper, we do not investigate this extremal adversarial scenario where the quantum devices have been acquired from a malicious provider. We are instead interested in the more real-life and practical situation where the manufacturer of the device is assumed to be honest, but where the concept of device-independence is used to provide an accurate estimation of the amount of randomness generated independently of noise, limited control of the apparatuses, or unintentional flaws of the devices. We point out in Section 2 that in this context it is sufficient to prove security against classical side-information. Furthermore, the initial seed used to sample the devices and perform the randomness extraction does not necessarily need to be private with respect to the adversary (it simply needs to be chosen in a way that is independent from the state of the devices). The output of the protocol, though, will represent a private random string. In this case one can thus talk about private randomness generation, given access to public randomness. (In the following, we will keep using the single terminology "device-independent randomness expansion" to refer to the two situations in which the initial randomness is considered to be private or is viewed as a free, public resource).

In Section 3, we then analyse the security of DIRE from this perspective. In particular, subsection 3.2 contains a detailed presentation of the model that we consider and of the assumptions on which it is based. Our main results are presented in subsection 3.3, where we show how to estimate the randomness produced in a Bell experiment if those assumptions are satisfied. Our analysis relies essentially on the tools introduced in [14], but importantly it fixes an issue that led to an improper formulation of the final results of [14]^1. A very similar analysis has been presented in the independent work [23]. We briefly discuss how these results directly imply the security of various DIRE schemes in subsection 3.4.

Finally, we point out that a randomness-expansion scheme with superpolynomial expansion and proven to be secure against quantum side information was recently introduced in [24]. This protocol, however, requires an almost perfect violation of the CHSH inequality, while our results and those of [23] are generic and hold for arbitrary Bell inequalities and any amount of violation^2.

2 Honest vs dishonest device suppliers and DIRE 

The security of device-independent cryptographic protocols is based on a rather limited set of assumptions, e.g., that the devices obey quantum theory, that separated devices can be prevented from communicating with one another, that the users of the device have access to a private source of randomness, and so on. Provided that these basic assumptions are satisfied, the security follows independently of implementation details such as the precise quantum states and measurement operators used, or the dimension of the Hilbert space in which they are defined. It is often stressed that security could thus in particular be guaranteed if the devices had been provided or sabotaged by the adversary itself. This possibility is fascinating from a conceptual point of view and deserves to be investigated for its own sake. However, it has probably little (if any) practical relevance, as has already been pointed out (see e.g., [27]).

^1 Specifically, the problem lies with Eq. (3) and Eq. (A.9) of the Supplementary Information of [14] and with the final steps leading to these equations.

^2 Note that previous versions of these results (see [25] and [26]) claimed security against quantum side information, but both proofs were incorrect.

One reason is that while it is in principle possible to enforce the assumptions required for the security of a DI cryptography scheme based on malicious devices, in practice this may involve incredible technological and physical resources. For instance, how can we practically guarantee that the devices do not covertly leak out sensitive information to the adversary [14]? How can we guarantee that they do not contain sneaky transmitters? In principle communications through electromagnetic waves can be screened, but what about communications based on neutrinos or gravitational waves? When a "door" is opened to let a particle enter a device, how can we efficiently prevent other particles from coming out of the device?

More generally, any practical cryptographic implementation, classical, quantum, or device-independent, will include and make use of classical computing and communicating devices to process, store, and transmit data. These classical devices, which are probably easier to corrupt than their quantum counterparts, cannot be guaranteed secure if they have been acquired from dishonest providers. One should therefore either acquire these classical devices from trusted suppliers or inspect them for malicious behaviour. But then why apply a different standard to the quantum devices?

The real problem, to which the concept of device-independence offers a potential solution, is that even if the quantum devices have been obtained from honest suppliers or thoroughly inspected, many things can still unintentionally go wrong. Indeed, in standard (i.e., device-dependent) quantum cryptography, conclusions about the randomness or the secrecy of the outputs crucially depend on the physical properties of the generation process, for example, on the fact that the outputs were produced by measuring the polarization of a single photon along well-defined directions. But then, how can one assess the level of security provided by a real-life implementation of a standard quantum cryptography protocol, which will inevitably differ in undetermined ways from the idealized, theoretical description [28]? Consider for instance that the reported attacks [29, 30, 31] on commercial QKD systems did not exploit any intentional, malicious flaws in the devices.

This problem is particularly acute in the case of (classical or quantum) RNG devices, as 
it is very difficult even for honest parties to construct reliable RNGs and monitor them for 
proper operation. The generation of randomness in a device-independent way solves many of 
the shortcomings of usual RNGs listed earlier, since it makes possible an accurate estimation of 
the amount of randomness generated independently of noise, imperfections, lack of knowledge, 
or limited control of the apparatuses. 

The use of device-independence, even in a trusted provider situation, has the advantage over a full device-dependent approach that it requires only the verification of a limited number of precisely defined assumptions, on which the manufacturer of the device can focus. Furthermore, these assumptions can be much more easily enforced or verified with respect to the situation where the devices come from a dishonest provider, as one does not need to fight against devices that have been maliciously programmed^3 [32]. For instance, in the experiment reported in [14] no particular measures have been taken to screen off one device from the other. However, the experiments involve two atoms that are confined in two independent vacuum chambers separated by about 1 meter. At this distance, direct interaction between the atoms is negligible and classical microwave and optical fields used to perform measurements on one atom have no influence on the other atom. Based on this superficial description of the setup, one can safely assume that the two quantum systems are independent and that no imperfections, failures, or implementation weaknesses would lead to direct interaction between the devices (though imperfections could lead to other potential problems that can be ruled out by the DI approach), and thus that the general formalism used to derive a bound on the randomness applies.

^3 Note in particular that it is highly unlikely that the attack reported in [31] would spontaneously occur in non-malicious devices.

In the case of DIRE, assuming that the devices originate from an honest provider has not only experimental implications, but also theoretical ones. The first one is that, while the adversary may possess an arbitrarily accurate classical description of the internal working of the devices at any given moment of time, it is highly unlikely that he could possess any quantum system that is entangled with those inside the devices if he did not manufacture or tamper with them. This means that proving that the outputs are random with respect to classical side-information is sufficient.

The second implication is that the adversary cannot program the devices to exploit any prior knowledge about the initial randomness used to choose the inputs. The inputs must still be selected in a way that is independent from the internal functioning of the devices, but this condition can be satisfied without having recourse to cryptographically-secure random number generators. For instance, in the experiment reported in [14], the measurement settings were chosen by combining through an XOR function several public random number generators that use randomness derived from radioactive decay [33], atmospheric noise [34], and remote computer and network activity [35]. While a dishonest manufacturer aware of this procedure could have exploited it in the design of the set-up, it is highly unlikely that the state of the ions in the experiment of [14] was in any way correlated to the choice of measurement bases. If this condition is satisfied, it is justified, however, to conclude that the outputs of the devices do represent new, private random bits.

Remark that the two above implications are specific to DIRE but would not hold for most DI cryptographic protocols. This is due to the fact that DIRE is a single-user protocol completely carried out in a single secure lab and which therefore does not allow for the possibility of interactive attacks by the adversary. In contrast, DIQKD, for instance, usually involves the sending of quantum information between Alice's and Bob's devices. This quantum information can be intercepted by the adversary and entangled with his own quantum system. Furthermore any knowledge of the random numbers used in the protocol could be exploited by the adversary to improve the efficiency of this interaction. Even if the devices are completely trusted, it is therefore still the case that the security of QKD must be based on a proof that holds against quantum side-information and that the random numbers used in the protocol must be cryptographically secure.

In the following section we analyse DIRE from the perspective discussed above, and show 
in particular how to prove the security of a DIRE protocol against classical side-information. 

3 DIRE against classical side-information 

We start by recalling some definitions and results that will be used in the following. We refer to [36, 37, 38] for more details.

3.1 Preliminaries



Random variables. Let $R$ be a random variable over the finite set $\mathcal{R}$ and $\Pr[R = r] = P_R(r)$ the probability that it takes the value $r$. (In the following, we use upper-case letters to denote random variables and lower-case letters to denote specific values taken by these variables). The closeness between two distributions $P_R$ and $Q_R$ can be quantified through the trace distance

$$ d(P_R, Q_R) = \frac{1}{2} \sum_r |P_R(r) - Q_R(r)| . \qquad (1) $$

For simplicity, we will write $P(r)$ for the probabilities $P_R(r)$ when there is no risk of confusion. Let $E$ be a random variable representing some classical side-information about the variable $R$, and let the correlations between $R$ and $E$ be described by a joint distribution $\Pr[R = r, E = e] = P_{RE}(re)$. We say that $R$ is $\delta$-random with respect to $E$ if it is $\delta$-close to a uniform distribution uncorrelated to $E$, that is if

$$ d(P_{RE}, U_R \times Q_E) = \frac{1}{2} \sum_{r,e} |P_{RE}(re) - U_R(r) \times Q_E(e)| \le \delta \qquad (2) $$

for some distribution $Q_E$, where $U_R(r) = 1/|\mathcal{R}|$ is the uniform probability distribution on $\mathcal{R}$.

Min-entropy. The randomness of $R$ with respect to $E$ can be quantified through the conditional min-entropy

$$ H_{\min}(R|E)_P = -\log_2 \sum_e P_E(e) \max_r P_{R|E}(r|e) . \qquad (3) $$

The conditional min-entropy (3) is sometimes called the average conditional min-entropy to distinguish it from the worst-case conditional min-entropy defined by

$$ H^{\mathrm{wc}}_{\min}(R|E)_P = -\log_2 \max_{r,e} P_{R|E}(r|e) . \qquad (4) $$

The worst-case min-entropy is a lower bound on the average min-entropy: $H_{\min}(R|E)_P \ge H^{\mathrm{wc}}_{\min}(R|E)_P$. Note that when there is no side-information $E$, both entropies reduce to the usual definition $H_{\min}(R)_P = -\log_2 \max_{r \in \mathcal{R}} P_R(r)$ for the classical min-entropy of a distribution $P_R$.
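The definitions (1) to (4) worked through on a constructed joint distribution $P_{RE}$, as an added example that is not part of the paper: the distance in (2) is evaluated with the choice $Q_E = P_E$ (which is only an upper bound on the best $\delta$, since (2) allows any $Q_E$), and the unconditional, average and worst-case min-entropies are compared. The numbers in `P_E` and `P_R_GIVEN_E` are constructed for the illustration.

```python
import math

# Constructed joint distribution (not from the paper): R is a 2-bit output
# string, E is one bit of classical side-information about it. Given e = 0 the
# device leans towards "11", given e = 1 it leans towards "00".
P_E = {0: 0.6, 1: 0.4}
P_R_GIVEN_E = {
    0: {"00": 0.2, "01": 0.2, "10": 0.2, "11": 0.4},
    1: {"00": 0.7, "01": 0.1, "10": 0.1, "11": 0.1},
}


def joint(p_e, p_r_given_e):
    """Build P_RE(r, e) = P_E(e) * P_{R|E}(r|e) as a dict keyed by (r, e)."""
    return {(r, e): p_e[e] * p_r_given_e[e][r]
            for e in p_e for r in p_r_given_e[e]}


def marginal_r(p_re):
    """P_R(r) = sum_e P_RE(r, e)."""
    out = {}
    for (r, _e), p in p_re.items():
        out[r] = out.get(r, 0.0) + p
    return out


def trace_distance(p, q):
    """Eq. (1): d(P, Q) = 1/2 * sum |P - Q| over the union of the supports."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def distance_from_uniform_uncorrelated(p_re):
    """Eq. (2) evaluated with Q_E = P_E, i.e. d(P_RE, U_R x P_E).

    Eq. (2) allows any Q_E, so this is an upper bound on the smallest delta."""
    r_values = sorted({r for (r, _e) in p_re})
    p_e = {}
    for (_r, e), p in p_re.items():
        p_e[e] = p_e.get(e, 0.0) + p
    u_r = 1.0 / len(r_values)                 # U_R(r) = 1/|R|
    product = {(r, e): u_r * p_e[e] for r in r_values for e in p_e}
    return trace_distance(p_re, product)


def avg_conditional_min_entropy(p_e, p_r_given_e):
    """Eq. (3): -log2 sum_e P_E(e) max_r P_{R|E}(r|e)."""
    guessing_prob = sum(p_e[e] * max(p_r_given_e[e].values()) for e in p_e)
    return -math.log2(guessing_prob)


def worst_case_conditional_min_entropy(p_r_given_e):
    """Eq. (4): -log2 max_{r,e} P_{R|E}(r|e)."""
    return -math.log2(max(max(d.values()) for d in p_r_given_e.values()))


def min_entropy(p_r):
    """Classical min-entropy without side-information: -log2 max_r P_R(r)."""
    return -math.log2(max(p_r.values()))


def summary():
    """All four quantities for the constructed distribution."""
    p_re = joint(P_E, P_R_GIVEN_E)
    return {
        "delta (Q_E = P_E)": distance_from_uniform_uncorrelated(p_re),
        "H_min(R)": min_entropy(marginal_r(p_re)),
        "H_min(R|E)": avg_conditional_min_entropy(P_E, P_R_GIVEN_E),
        "H_min^wc(R|E)": worst_case_conditional_min_entropy(P_R_GIVEN_E),
    }


if __name__ == "__main__":
    # Conditioning on E can only lower the min-entropy, and the worst-case
    # value lies below the average one, as stated after Eq. (4).
    for name, value in summary().items():
        print(f"{name:18s} = {value:.4f}")
```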

Randomness extractors. Given an $n$-bit string $R$ with a certain conditional min-entropy $k$, one can extract from it, using a randomness extractor and a small uniform seed $S$, a new $m$-bit random string that is almost uniformly random. More formally, a function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is an $(m, k, \delta)$-strong extractor with uniform seed if for all distributions $P_{RE}$ with $H_{\min}(R|E)_P \ge k$, and for a uniform seed $S \in \{0,1\}^d$, we have^4

$$ d(P_{\mathrm{Ext}(R,S)SE}, U_m \times P_S \times P_E) \le \delta , \qquad (5) $$

where $U_m$ is the uniform distribution on $\{0,1\}^m$. There exist different constructions for randomness extractors, characterized by different relations between the parameters $n, m, d, k, \delta$. In particular, for any $k$ and $\delta$, there exist extractors with output length $m = k - 4 \log 1/\delta - O(1)$ and seed length $d = O(\log^2(n/\delta) \log m)$ [37].

Randomness and Bell experiments. In [14], it was shown that there exists a fundamental, quantitative relation between the violation of Bell inequalities and the randomness produced in Bell experiments. We consider here for simplicity Bell experiments performed on two distinct systems A and B, although our results generalize to more parties. We denote $V = (V^a, V^b)$ the measurement choices for systems A and B and assume that they each take values in a finite set $\mathcal{V}$. We denote the measurement outputs $X = (X^a, X^b)$ and assume that they each take values in the finite set $\mathcal{X}$. To any given input $V^a = v^a$, we can associate a set of measurement operators $\{M_A(x^a|v^a)\}_{x^a \in \mathcal{X}}$ such that $\sum_{x^a} M_A^\dagger(x^a|v^a) M_A(x^a|v^a) = I_A$, where $I_A$ is the identity operator on the Hilbert space $\mathcal{H}_A$ of system A. Similarly a set of measurement operators $M_B(x^b|v^b)$ can be associated to any given input $V^b = v^b$. The probability to obtain the pair of outputs $x = (x^a, x^b)$ given the pair of inputs $v = (v^a, v^b)$ when measuring a joint state $\rho_{AB} \in \mathcal{H}_A \otimes \mathcal{H}_B$ can then be written

$$ P(x|v) = \mathrm{tr}\left[ M_A(x^a|v^a) \otimes M_B(x^b|v^b)\, \rho_{AB}\, M_A^\dagger(x^a|v^a) \otimes M_B^\dagger(x^b|v^b) \right] . \qquad (6) $$

A Bell expression $I$ is defined by a series of coefficients $c_{xv}$ which associate to a conditional probability distribution $P = \{P(x|v)\}$ the Bell expectation $I[P] = \sum_{v,x} c_{xv} P(x|v)$. We denote by $I_Q$ the maximal quantum Bell expectation, i.e., $I_Q = \max_P I[P]$, where the maximum is taken over all distributions of the form (6).

^4 Note that the definition of (classical) extractors does not usually involve side-information, but the definition given here and the conventional one can be shown to be essentially equivalent [38].

In [14] (see also [32]) it is shown that there exists a fundamental relation between the randomness of the distribution $P$ and the Bell expectation $I[P]$. More precisely, it is shown how, using the semidefinite programming hierarchy introduced in [39, 40], one can compute for each $v$ a bound of the form

$$ \max_x P(x|v) \le g(I[P]) , \qquad (7) $$

which is valid for any state $\rho_{AB}$ and measurement operators $M_A(x^a|v^a)$, $M_B(x^b|v^b)$ such that (6) holds. Here $g$ is a function that is concave (if not, we take its concave hull) and monotonically decreasing, taking values between 1 and $1/|\mathcal{X}|^2$. In particular, it is thus also logarithmically concave. The above bound can be rewritten as $H_{\min}(X|V = v)_P \ge f(I[P])$, where $H_{\min}(X|V = v)_P = -\log_2 \max_x P(x|v)$ is the min-entropy of $X$ for given $v$, and $f(I[P]) = -\log_2 g(I[P])$. From now on we refer to $g$ (or $f = -\log_2 g$) as a randomness bound associated to $I$.



3.2 Modelling of the devices and basic assumptions 

We consider a single pair of Bell violating devices A and B (though the results below can be directly generalized to a multipartite setting), in which the user Alice can respectively introduce inputs $V = (V^a, V^b)$ (the "measurement settings") and obtains outputs $X = (X^a, X^b)$ (the "measurement outcomes"). The quantum apparatuses are used $n$ times in succession for varying choices of the inputs. In full generality, the behaviour of the devices can be characterized by

• an initial state $\rho_{AB} \in \mathcal{H}_A \otimes \mathcal{H}_B$;

• a set $\mathcal{M}_{AB} = \{M_{AB}(x|v)\}$ of measurement operators on $\mathcal{H}_A \otimes \mathcal{H}_B$, which have the product form

$$ M_{AB}(x|v) = M_A(x^a|v^a) \otimes M_B(x^b|v^b) , \qquad (8) $$

and which define the measurements applied on the state of the devices for given input $v$;

• a joint unitary operation $U \in \mathcal{H}_A \otimes \mathcal{H}_B$, which is applied on the post-measurement state of the devices after each measurement and which represents the possibility for the devices to communicate between successive measurements (e.g., to establish new entanglement).

Note that to simplify the notation, we did not explicitly introduce a dependence of $M_{AB}(x|v)$ or $U$ on the measurement round $i$ or on the inputs and outputs obtained in previous steps, i.e., $M_{AB}(x|v)$ and $U$ are identical at each use of the devices. The above formulation is nevertheless completely general and can account for the possibility that the behaviour of the devices varies from one round to another and makes use of an internal memory. Indeed, the measurement operators $M_{AB}(x|v)$ and the operation $U$ can encode the value of the inputs $v$ and the outputs $x$ obtained in a given run in the post-measurement state of the devices and "read" back this information in the next step to perform an operation conditional on the previous history. The only restrictive hypothesis that we make is that the measurement operators have the product form (8). Physically, this means that the systems A and B do not communicate with each other during the measurement itself.

We assume that the behaviour of the devices, characterized by the initial state $\rho_{AB}$, the set of measurement operators $\mathcal{M}_{AB}$, and the joint operation $U$, is perfectly known to the adversary. Note that the behaviour of the devices might depend on some external random parameters known or controlled by the adversary. For instance, the quality of the components used to produce the devices might vary in a way known to the adversary, or he might control some parameters (such as temperature or changes in the voltage of the power supply) that can influence the output of the devices. This can be taken into account by assuming that the devices and the adversary's information are in a joint state

$$ \rho_{ABE} = \sum_e P(e)\, \rho^e_{AB} \otimes |e\rangle\langle e| , \qquad (9) $$

where $\rho_{AB} = \sum_e P(e) \rho^e_{AB}$ represents the knowledge that the adversary has on the state of the devices. We refer in the following to $(\rho_{ABE}, \mathcal{M}_{AB}, U_{AB})$ as the device behaviour. Our assumption of classical side-information lies in the fact that the devices and the adversary are only classically correlated. In general, i.e., in the case of quantum side-information, the state $\rho_{ABE}$ could be completely arbitrary.

As we said, the devices will be used $n$ times in succession. Let $\mathbf{V} = (V_1, \ldots, V_n) = (V^a_1, V^b_1, \ldots, V^a_n, V^b_n)$ denote the sequence of inputs employed in $n$ such successive uses and let $P(\mathbf{v})$ denote the probability of a particular sequence $\mathbf{V} = \mathbf{v}$. We assume that the choice of inputs is independent of the device behaviour, i.e., that the inputs $\mathbf{V}$, the pair of devices AB, and the adversary's information $E$ can initially be characterized by the cqc-state

$$ \rho_{\mathbf{V}} \otimes \rho_{ABE} = \sum_{\mathbf{v}, e} P(\mathbf{v}) P(e)\, |\mathbf{v}\rangle\langle\mathbf{v}| \otimes \rho^e_{AB} \otimes |e\rangle\langle e| . \qquad (10) $$

After the $n$ uses of the devices, one obtains a sequence $\mathbf{X} = (X^a_1, X^b_1, \ldots, X^a_n, X^b_n)$ of output pairs. The resulting situation, and the correlations between the inputs $\mathbf{V}$, outputs $\mathbf{X}$, and the adversary's information $E$, can then be characterized by the joint distribution

$$ P(\mathbf{v}\mathbf{x}e) = P(\mathbf{v}) P(e) P(\mathbf{x}|\mathbf{v}, e) , \qquad (11) $$

where

$$ P(\mathbf{x}|\mathbf{v}, e) = \mathrm{tr}\left[ \prod_{i=1}^{n} \left( U_{AB}\, M_A(x^a_i|v^a_i) \otimes M_B(x^b_i|v^b_i) \right) \rho^e_{AB} \prod_{i=1}^{n} \left( M_A^\dagger(x^a_i|v^a_i) \otimes M_B^\dagger(x^b_i|v^b_i)\, U_{AB}^\dagger \right) \right] \qquad (12) $$

represents the response of the devices to given inputs $\mathbf{v}$ for a given value of the adversary's information $e$.

In the following, we show how the level of Bell violation which is observed after $n$ repetitions of the experiment implies a bound on the min-entropy of the output string $\mathbf{X}$ conditioned on the input string $\mathbf{V}$ and the adversary's information $E$. This bound depends only on the product assumption (8) characterizing the two devices, on the independence assumption (10) between the choice of inputs and the state of the devices, and implicitly on the condition (9) that the adversary's side-information is classical. Apart from these three assumptions, our results do not depend on any specific details of the device behaviour $(\rho_{ABE}, \mathcal{M}_{AB}, U_{AB})$.



3.3 Bounding the min-entropy 

Suppose that the sequence of inputs $\mathbf{V} = (V^a_1, V^b_1, \ldots, V^a_n, V^b_n)$ is generated by choosing each pair of inputs $(V^a_i, V^b_i)$ independently with probability $\Pr[V^a_i = v, V^b_i = w] = p_{vw}$, with $q = \min_{v,w} p_{vw} > 0$. Let $I$ be a Bell expression adapted to the input and output alphabet of the quantum devices. We then introduce the following Bell estimator

$$ \hat{I} = \frac{1}{n} \sum_{i=1}^{n} I_i , \qquad (13) $$

where

$$ I_i = \sum_{xyvw} \frac{c_{xyvw}}{p_{vw}}\, \chi(X^a_i = x, X^b_i = y, V^a_i = v, V^b_i = w) . \qquad (14) $$

Here, $\chi(e)$ is the indicator function for the event $e$, that is, $\chi(e) = 1$ if the event $e$ is observed, $\chi(e) = 0$ otherwise. The series of coefficients $c_{xyvw}$ in (14) define the Bell expression $I$. We assume that they satisfy $c = \max_{x,y,v,w} c_{xyvw} < \infty$.

Let $\{J_m : 0 \le m \le m_{\max}\}$ be a series of Bell violation thresholds, with $J_0$ corresponding to the local bound of the Bell expression and $J_{m_{\max}} = I_Q$ to the maximum violation allowed by quantum theory. We are going to put a bound on the min-entropy of the string $\mathbf{X}$ conditioned on the fact that the observed Bell average value $\hat{I}$ is comprised within some interval^5 $J_m \le \hat{I} < J_{m+1}$. We denote $P(m)$ the probability that the experiment returns a Bell average value comprised between $J_m \le \hat{I} < J_{m+1}$ and $H_{\min}(\mathbf{X}|\mathbf{V}E, m)_P$ the min-entropy of $\mathbf{X}$ conditioned on $\mathbf{V}$ and $E$ given that a specific value $m$ has been obtained. The case $m = 0$ corresponds to the situation where no substantial Bell violation is observed and no randomness is produced.

Theorem 1. Suppose that the sequence of inputs $\mathbf{V} = (V^a_1, V^b_1, \ldots, V^a_n, V^b_n)$ is generated by choosing each pair of inputs $(V^a_i, V^b_i)$ independently with probability $\Pr[V^a_i = v, V^b_i = w] = p_{vw}$, with $q = \min_{v,w} p_{vw} > 0$. Let $\epsilon, \epsilon' > 0$ be two arbitrary parameters. Then for any device behaviour $(\rho_{ABE}, \mathcal{M}_{AB}, U)$, the resulting distribution $P = \{P(\mathbf{v}\mathbf{x}e)\}$ characterizing $n$ successive uses of the devices is $\epsilon$-close to a distribution $Q$ such that

1. either $Q(m) \le \epsilon'$,

2. or $H_{\min}(\mathbf{X}|\mathbf{V}E, m)_Q \ge n f(J_m - \mu) - \log_2 \frac{1}{\epsilon'}$,

where $f$ is a randomness bound associated to the Bell expression $I$ and

This result tells us that the classical distribution $P$ characterizing the outputs $\mathbf{X}$ of the devices and their correlations with the inputs $\mathbf{V}$ and the adversary's information $E$ is essentially indistinguishable from a distribution $Q$ such that if the observed violation lies within the interval $J_m \le \hat{I} < J_{m+1}$ with non-negligible probability, then we have the guarantee that the outputs contain a certain amount of entropy, roughly given by $n f(J_m)$ up to epsilonic corrections (remark the term $-\log_2 1/\epsilon'$ in the bound on the min-entropy $H_{\min}(\mathbf{X}|\mathbf{V}E, m)_Q$ which was missing in [14]). Note that the fact that the trace distance cannot increase under classical-processing operations guarantees that any claim about the string $\mathbf{X}$ (or any subsequent use thereof) which is based on the properties of the distribution $Q$ will also hold for the distribution $P$ up to a correction $\epsilon$ (see subsection 3.4 for more details).

^5 This is the novel ingredient that fixes the issue in [14].

Proof of Theorem 1. In the following, we write $\mathbf v_i = (v_1^a, v_1^b, \ldots, v_i^a, v_i^b)$ for the collection of input pairs up to round $i$, and similarly $\mathbf x_i$ for the outputs. We denote by $\mathbb E(I_i|\mathbf x_{i-1}, \mathbf v_{i-1}, e)$ the expectation of the random variable $I_i$ defined in (14) conditioned on $(\mathbf x_{i-1}, \mathbf v_{i-1}, e)$, where the expectation is taken with respect to the probability distribution $P$. The following Lemma puts a bound on the probabilities $P(\mathbf x|\mathbf v, e)$.



Lemma 1. Let $G_\mu = \big\{(\mathbf x, \mathbf v, e)\ \big|\ \frac{1}{n}\sum_{i=1}^{n} \mathbb E(I_i|\mathbf x_{i-1}, \mathbf v_{i-1}, e) \ge \bar I(\mathbf x, \mathbf v) - \mu\big\}$, where $\mu$ is some real parameter and $\bar I(\mathbf x, \mathbf v)$ is the value of the estimator (13) on the strings $\mathbf x, \mathbf v$. Then for any $(\mathbf x, \mathbf v, e) \in G_\mu$,

$$P(\mathbf x|\mathbf v, e) \le g^{n}\big(\bar I(\mathbf x, \mathbf v) - \mu\big). \qquad (16)$$

Proof. Using successively Bayes's rule and (12), we can write

$$P(\mathbf x|\mathbf v, e) = \prod_{i=1}^{n} P(x_i|v_i, \mathbf x_{i-1}, \mathbf v, e) = \prod_{i=1}^{n} P(x_i|v_i, \mathbf x_{i-1}, \mathbf v_{i-1}, e). \qquad (17)$$

The second equality simply expresses the fact that the outputs at round $i$ are determined only by the inputs at round $i$ and by the past inputs and outputs, but not by future inputs. Note furthermore that we can write

$$P(x_i|v_i, \mathbf x_{i-1}, \mathbf v_{i-1}, e) = P(x_i^a, x_i^b|v_i^a, v_i^b, \mathbf x_{i-1}, \mathbf v_{i-1}, e) = \mathrm{tr}\Big[M_A(x_i^a|v_i^a)\, M_B(x_i^b|v_i^b)\, \rho_{AB}^{\mathbf x_{i-1}\mathbf v_{i-1}e}\, M_B^\dagger(x_i^b|v_i^b)\, M_A^\dagger(x_i^a|v_i^a)\Big], \qquad (18)$$

where $\rho_{AB}^{\mathbf x_{i-1}\mathbf v_{i-1}e}$ denotes the state of the devices conditioned on previous inputs and outputs. Applying the randomness bound (7) to the probability distribution $P_{\mathbf x_{i-1}, \mathbf v_{i-1}, e} = \{P(x_i|v_i, \mathbf x_{i-1}, \mathbf v_{i-1}, e)\}$ implies that $P(x_i|v_i, \mathbf x_{i-1}, \mathbf v_{i-1}, e) \le g\big(I[P_{\mathbf x_{i-1}, \mathbf v_{i-1}, e}]\big)$. Using the fact that $P(v_i^a = v, v_i^b = w|\mathbf x_{i-1}, \mathbf v_{i-1}, e) = p_{vw}$, which follows from (10) and the fact that each pair of inputs $(V_i^a, V_i^b)$ is generated independently with probability $\Pr[V_i^a = v, V_i^b = w] = p_{vw}$, it is easily verified that $I[P_{\mathbf x_{i-1}, \mathbf v_{i-1}, e}] = \sum_{x,y,v,w} c_{xyvw}\, P(xy|vw, \mathbf x_{i-1}, \mathbf v_{i-1}, e) = \mathbb E(I_i|\mathbf x_{i-1}, \mathbf v_{i-1}, e)$. We therefore have

$$P(\mathbf x|\mathbf v, e) \le \prod_{i=1}^{n} g\big(\mathbb E(I_i|\mathbf x_{i-1}, \mathbf v_{i-1}, e)\big) \le g^{n}\Big(\frac{1}{n}\sum_{i=1}^{n} \mathbb E(I_i|\mathbf x_{i-1}, \mathbf v_{i-1}, e)\Big), \qquad (19)$$

where we used that $g$ is logarithmically concave in the second inequality. Using the definition of $G_\mu$ and the fact that $g$ is monotonically decreasing, we get (16). □

Lemma 2. For any $\epsilon > 0$, let $\mu$ be given by (20). Then

$$\Pr[G_\mu] = \sum_{(\mathbf x, \mathbf v, e) \in G_\mu} P(\mathbf x, \mathbf v, e) \ge 1 - \epsilon. \qquad (21)$$

Proof. Consider the list of random variables $Z_0, \ldots, Z_n$, where $Z_0 = 0$ and

$$Z_k = \sum_{i=1}^{k} \big(I_i - \mathbb E(I_i|W_{i-1})\big) \qquad (22)$$

for $k \ge 1$, where $W_{k-1} = (\mathbf X_{k-1}, \mathbf V_{k-1}, E)$ and $W_0 = E$. Since $|I_k| \le c/q$ with $c < \infty$ and $q > 0$, we have that $|Z_k| \le 2kc/q < \infty$ is bounded for all $k$. Moreover, the differences $|Z_{k+1} - Z_k|$ are bounded by $|Z_{k+1} - Z_k| = |I_{k+1} - \mathbb E(I_{k+1}|W_k)| \le |I_{k+1}| + |\mathbb E(I_{k+1}|W_k)| \le c/q + I_Q$, where we used (10) and the fact that each pair of inputs $(V_i^a, V_i^b)$ is generated independently with probability $\Pr[V_i^a = v, V_i^b = w] = p_{vw}$. Finally, it is easily verified that $\mathbb E(Z_{k+1}|W_k) = Z_k$ for all $0 \le k \le n - 1$. The variables $Z_0, \ldots, Z_n$ thus form a martingale with respect to (the filtration induced by) $W_0, \ldots, W_{n-1}$. We can therefore apply the Azuma-Hoeffding inequality [12], which yields

$$\Pr[Z_n - Z_0 > n\mu] = \Pr\Big[\frac{1}{n}\sum_{i=1}^{n} \mathbb E(I_i|W_{i-1}) < \bar I - \mu\Big] \le \exp\Big(-\frac{n\mu^2}{2\,(c/q + I_Q)^2}\Big), \qquad (23)$$

where the middle expression uses $\frac{1}{n}\sum_{i=1}^{n} I_i = \bar I$. The event on the left-hand side is exactly the complement of $G_\mu$, so together with the definition (20) of $\mu$ this gives the desired claim. □

So far, we have (implicitly) considered the random variable sequence $X$ as taking values in the output space $\mathcal X^n = \mathcal X \times \cdots \times \mathcal X$. We now formally extend its range and view it as an element of $\mathcal X^n \cup \{\bot\}$, with $P(\mathbf x|\mathbf v, e) = 0$ if $\mathbf x = \bot$. We can interpret $\bot$ as an "abort-output" produced by the devices, implying that no violation has been obtained (i.e., $m = 0$ if $\mathbf x = \bot$).

Lemma 3. There exists a probability distribution $Q = \{Q(\mathbf x, \mathbf v, e)\}$ that is $\epsilon$-close to $P$ and satisfies

$$Q(\mathbf x|\mathbf v, e) \le g^{n}\big(\bar I(\mathbf x, \mathbf v) - \mu\big) \qquad (24)$$

for all $(\mathbf x, \mathbf v, e)$ such that $\mathbf x \ne \bot$, with $\mu$ given by (20).

Proof. Define $Q$ as $Q(\mathbf x, \mathbf v, e) = P(\mathbf v)P(e)Q(\mathbf x|\mathbf v, e)$, where $Q(\mathbf x|\mathbf v, e) = P(\mathbf x|\mathbf v, e)$ if $(\mathbf x, \mathbf v, e) \in G_\mu$, $Q(\mathbf x|\mathbf v, e) = 0$ if $\mathbf x \ne \bot$ and $(\mathbf x, \mathbf v, e) \notin G_\mu$, and $Q(\bot|\mathbf v, e) = 1 - \sum_{\mathbf x : (\mathbf x, \mathbf v, e) \in G_\mu} P(\mathbf x|\mathbf v, e)$. By Lemma 1, the distribution $Q$ satisfies (24) for all $(\mathbf x, \mathbf v, e)$ such that $\mathbf x \ne \bot$. Application of Lemma 2 gives

$$d(P, Q) = \frac{1}{2}\sum_{\mathbf x, \mathbf v, e} |P(\mathbf x, \mathbf v, e) - Q(\mathbf x, \mathbf v, e)| = \frac{1}{2}\sum_{\mathbf v, e} P(\mathbf v, e) \sum_{\mathbf x} |P(\mathbf x|\mathbf v, e) - Q(\mathbf x|\mathbf v, e)| = \frac{1}{2}\Big(\sum_{(\mathbf x,\mathbf v,e) \notin G_\mu} P(\mathbf x, \mathbf v, e) + 1 - \sum_{(\mathbf x,\mathbf v,e) \in G_\mu} P(\mathbf x, \mathbf v, e)\Big) \le \epsilon.\ \Box$$

Let $Q(m)$ be the probability (according to the distribution $Q$) that $J_m \le \bar I < J_{m+1}$. Let $Q(\mathbf x, \mathbf v, e|m)$ denote the distribution of $X, V, E$ conditioned on a particular value of $m$ and let

$$H_{\min}(X|VE, m)_Q = -\log_2 \sum_{\mathbf v, e} Q(\mathbf v, e|m)\, \max_{\mathbf x} Q(\mathbf x|\mathbf v, e, m) \qquad (25)$$

be the min-entropy of the raw string $X$ conditioned on $(V, E)$ for a given $m$. Let $\mathcal X_m = \{\mathbf x \mid \mathbf x \ne \bot \text{ and } J_m \le \bar I(\mathbf x, \mathbf v) < J_{m+1}\}$. By Lemma 3 and the fact that $g$ is monotonically decreasing, we have

$$\max_{\mathbf x} Q(\mathbf x|\mathbf v, e, m) = \frac{1}{Q(m|\mathbf v, e)} \max_{\mathbf x \in \mathcal X_m} Q(\mathbf x|\mathbf v, e) \qquad (26)$$

$$\le \frac{g^{n}(J_m - \mu)}{Q(m|\mathbf v, e)}. \qquad (27)$$

Inserting this back in (25) and using $Q(\mathbf v, e|m) = Q(m|\mathbf v, e)\, Q(\mathbf v, e)/Q(m)$ gives

$$H_{\min}(X|VE, m)_Q \ge -\log_2 \sum_{\mathbf v, e} Q(\mathbf v, e|m)\, \frac{g^{n}(J_m - \mu)}{Q(m|\mathbf v, e)} \qquad (28)$$

$$= -\log_2 \sum_{\mathbf v, e} Q(\mathbf v, e)\, \frac{g^{n}(J_m - \mu)}{Q(m)} \qquad (29)$$

$$= n f(J_m - \mu) - \log_2 \frac{1}{Q(m)}, \qquad (30)$$

where we remind that $f = -\log_2 g$. This immediately implies Theorem 1: if $Q(m) \ge \epsilon'$, the last term is at least $-\log_2 1/\epsilon'$.



3.4 Application to DIRE protocols

Theorem 1 can directly be applied to prove the security of various DIRE protocols. Formally, a randomness expansion protocol is a protocol that, starting from a $d$-bit uniform random seed $S$, generates an $m$-bit string $R$ that is close to uniformly random and uncorrelated from any potential adversary. The length $m$ of the output string is variable and determined during the run of the protocol. The protocol may also abort, in which case we set $m = 0$ and $R = \emptyset$. We can assume that $m$ is made public at the end of the protocol.

The protocol will involve the use of Bell-violating devices and some classical processing of the outputs of the devices. For example, a straightforward protocol directly based on the simple Bell experiment described so far is given below. But one could also consider more complicated protocols involving multiple pairs of Bell-violating devices, where this simple primitive is repeated or concatenated, see [25, 26].

1. Input generation: Alice generates a sequence of input pairs $V = (V_1^a, V_1^b, \ldots, V_n^a, V_n^b)$ according to the (non-uniform) distribution specified in the statement of Theorem 1. This can be achieved starting from a uniform random seed $S_{\rm inp}$ with a small error $\epsilon_{\rm inp}$ and small entropy loss (see [45, 46] and the Appendix).

2. Use of the devices: She introduces inputs $V_i^a$ and $V_i^b$ in the two devices and obtains outputs $X_i^a$ and $X_i^b$. This step is repeated $n$ times, resulting in the sequence of output pairs $X = (X_1^a, X_1^b, \ldots, X_n^a, X_n^b)$.

3. Estimation of the Bell expression: Alice computes the average Bell expression (13) and determines the value of $m$ such that $J_m \le \bar I < J_{m+1}$. If $m = 0$, she aborts.

4. Randomness extraction: Using a random seed $S_{\rm ext}$, Alice applies an $(m, k_m, \epsilon_{\rm ext})$-randomness extractor to the raw string $X$ with $k_m = n f(J_m - \mu) - \log_2 m_{\max} - \log_2 \frac{1}{\epsilon'}$ and obtains a string $R = \mathrm{Ext}(X, S_{\rm ext})$, which represents the output of the protocol. We can assume that $m$, $V$, and $S_{\rm ext}$ are made public.



In the above description, we have of course implicitly assumed that the thresholds $J_m$, the parameter $\epsilon$ (which determines $\mu$), $\epsilon'$, and $\epsilon_{\rm ext}$ are chosen in such a way that they define a proper $(m, k_m, \epsilon_{\rm ext})$-randomness extractor for all values of $m = 1, \ldots, m_{\max}$.
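The four steps above, run end to end in Python as an added illustration; this is not code from the paper or from any implementation it describes. It assumes CHSH as the Bell expression $I$ (coefficients $c_{xyvw} = (-1)^{x+y+vw}$, $J_0 = 2$, $I_Q = 2\sqrt 2$), the CHSH randomness bound $f$ of [14] (not restated on this page), a $\mu$ taken from the standard Azuma-Hoeffding tail bound with the difference bound $c/q + I_Q$ of Lemma 2, a Toeplitz-matrix hash as the $(m, k_m, \epsilon_{\rm ext})$-extractor (2-universal, hence a strong extractor by the leftover hash lemma), and constructed values for $p_{vw}$, the thresholds $J_m$ and the two simulated device behaviours. Step 1 draws the inputs from a PRNG standing in for the public seed rather than through the appendix construction. Since the page uses $m$ both for the threshold index and for the output length, the code keeps them apart as `m_idx` and `out_len`.

```python
"""End-to-end toy run of the DIRE protocol of Section 3.4 (added example)."""
import math
import random

# CHSH, assumed here as the Bell expression I: outputs x, y in {0,1}, inputs
# v, w in {0,1}, c_xyvw = (-1)^(x+y+v*w), local bound 2, quantum bound I_Q.
I_Q = 2 * math.sqrt(2)
C_MAX = 1.0                                   # c = max |c_xyvw|
# Input distribution p_vw and thresholds J_0 < ... < J_{m_max} = I_Q
# (constructed values, not taken from the paper).
P_VW = {(0, 0): 0.7, (0, 1): 0.1, (1, 0): 0.1, (1, 1): 0.1}
Q_MIN = min(P_VW.values())                    # q = min_vw p_vw
THRESHOLDS = [2.0, 2.3, 2.5, 2.6, 2.7, 2.75, I_Q]


def round_value(x, y, v, w, p_vw=P_VW):
    """I_i of eq. (14): the single term matching the observed (x, y, v, w),
    weighted by 1/p_vw to undo the input bias."""
    return (-1) ** (x + y + v * w) / p_vw[(v, w)]


def bell_estimate(rounds, p_vw=P_VW):
    """Bell estimator (13): mean of I_i over rounds given as (x, y, v, w)."""
    return sum(round_value(*r, p_vw) for r in rounds) / len(rounds)


def chsh_f(bell_value):
    """f = -log2 g for CHSH: the min-entropy bound on one output pair from
    Pironio et al. 2010 [14], assumed here.  Clamped to [2, 2*sqrt(2)]."""
    val = min(max(bell_value, 2.0), I_Q)
    return 1 - math.log2(1 + math.sqrt(max(0.0, 2 - val ** 2 / 4)))


def azuma_margin(n, eps):
    """mu: Azuma-Hoeffding tail bound with martingale differences bounded by
    c/q + I_Q (Lemma 2), solved for probability eps (assumed form)."""
    return (C_MAX / Q_MIN + I_Q) * math.sqrt(2 * math.log(1 / eps) / n)


def threshold_index(bell_value, thresholds=THRESHOLDS):
    """m with J_m <= I < J_{m+1}; 0 means abort.  Values >= I_Q go to m_max."""
    return max((i for i, j in enumerate(thresholds) if bell_value >= j), default=0)


def _parity(value):
    return (value.bit_count() if hasattr(value, "bit_count")
            else bin(value).count("1")) & 1


def toeplitz_extract(raw_bits, seed_bits, out_len):
    """Strong extractor: 2-universal hashing by the Toeplitz matrix
    T[j][i] = seed_bits[j - i + n - 1]; output bit j = parity(row_j AND raw)."""
    n = len(raw_bits)
    raw = int("".join(map(str, raw_bits)), 2)            # bit n-1-i = raw_bits[i]
    seed = int("".join(map(str, reversed(seed_bits))), 2)  # bit t = seed_bits[t]
    mask = (1 << n) - 1                       # bit n-1-i of seed>>j is T[j][i]
    return [_parity(raw & ((seed >> j) & mask)) for j in range(out_len)]


def tsirelson_device(v, w, rng):
    """Constructed simulation of CHSH-optimal quantum devices: uniform
    marginals, x XOR y = v AND w with probability cos^2(pi/8) ~ 0.854."""
    x = rng.getrandbits(1)
    return x, x ^ (v & w) ^ (0 if rng.random() < math.cos(math.pi / 8) ** 2 else 1)


def local_device(v, w, rng):
    """Constructed deterministic local devices (always (0, 0)), so I = 2."""
    return 0, 0


def run_protocol(device, n=40000, eps=1e-6, eps_prime=1e-6, eps_ext=1e-6,
                 thresholds=THRESHOLDS, rng_seed=2013):
    """Steps 1-4.  The PRNG stands in for the public seed S = (S_inp, S_ext);
    step 1 samples p_vw directly instead of via the appendix construction."""
    rng = random.Random(rng_seed)
    pairs, weights = list(P_VW), list(P_VW.values())
    rounds = []
    for _ in range(n):                        # steps 1 and 2
        v, w = rng.choices(pairs, weights)[0]
        x, y = device(v, w, rng)
        rounds.append((x, y, v, w))
    i_bar = bell_estimate(rounds)             # step 3
    m_idx = threshold_index(i_bar, thresholds)
    result = {"bell": i_bar, "m": m_idx, "k_m": 0.0, "R": []}
    if m_idx == 0:
        return result                         # abort: no substantial violation
    m_max = len(thresholds) - 1
    k_m = (n * chsh_f(thresholds[m_idx] - azuma_margin(n, eps))
           - math.log2(m_max) - math.log2(1 / eps_prime))
    result["k_m"] = k_m
    # Leftover hash lemma: with min-entropy k_m a 2-universal hash yields
    # k_m - 2*log2(1/eps_ext) bits that are eps_ext-close to uniform.
    out_len = int(k_m - 2 * math.log2(1 / eps_ext))
    if out_len <= 0:
        return result
    raw_bits = [b for x, y, _, _ in rounds for b in (x, y)]          # step 4
    seed_bits = [rng.getrandbits(1) for _ in range(len(raw_bits) + out_len - 1)]
    result["R"] = toeplitz_extract(raw_bits, seed_bits, out_len)
    return result
```

Two things the run makes visible that the step list does not. First, with $q = 0.1$ and $n = 40000$ the margin $\mu$ is about $0.34$, so the estimate near $2.83$ is certified only at $J_m - \mu \approx 2.4$; the non-uniform inputs that make expansion possible are paid for in the Azuma bound through $c/q$. Second, the Toeplitz seed is longer than the raw string, so this toy consumes more seed than it outputs; the expansion claims of the next subsection rely on extractors with much shorter seeds, which this example does not implement. The local deterministic devices land at $\bar I \approx 2$ and the protocol aborts with $m = 0$.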

Let $F = (V, S_{\rm ext}, E)$ denote the final side-information of the adversary. Following the definition of security in the context of quantum key distribution outlined in [43, 44], we say that a protocol such as the one just presented is secure if, for any device behaviour and any $m$, the output $R$ is uniformly random and independent from $F$. This means that the distribution characterizing the output $R$, the side-information $F$ and the final length $M$ of a perfectly secure protocol has the form

$$P_{RFM}(r, f, m) = P_M(m) \times P_{RF|M}(r, f|m) \quad \text{with} \quad P_{RF|M}(r, f|m) = U_m(r) \times P_{F|M}(f|m), \qquad (31)$$

where $U_m$ is the uniform distribution on $\{0, 1\}^m$. A real DIRE protocol is said to be $\epsilon_{\rm sec}$-secure if it is $\epsilon_{\rm sec}$-indistinguishable from a secure protocol, that is, if for any device behaviour the joint distribution $P_{RFM}$ satisfies

$$d(P_{RFM}, P^{\rm sec}_{RFM}) \le \epsilon_{\rm sec} \qquad (32)$$

for some distribution $P^{\rm sec}_{RFM}$ of the form (31). In particular, a DIRE protocol is $\epsilon_{\rm sec}$-secure if, for any device behaviour, it outputs $m$-bit strings that are $\delta_m$-random with respect to $E$ with

$$\sum_{m=1}^{m_{\max}} P(m)\,\delta_m \le \epsilon_{\rm sec}, \qquad (33)$$

where $m_{\max}$ denotes the maximal output length.

To show that the protocol defined above is secure according to this definition, suppose that at the end of Step 2, after the $n$ uses of the devices, the correlations between outputs $X$, inputs $V$, and the adversary's prior information $E$ are characterized by the probability distribution $Q_{XVE}$ defined in the statement of Theorem 1. Then it is easy to show that the distribution $Q_{RFM} = Q_{G(X, V, S_{\rm ext})FM}$ characterizing the final output of the protocol (where $G$ is the classical processing describing the steps performed after the $n$ uses of the devices) is $(\epsilon' + \epsilon_{\rm ext})$-close to a perfectly secure distribution $Q^{\rm sec}_{RFM}$. Indeed, let $M_<$ be the values of $m$ such that $Q(m) < \epsilon'/m_{\max}$ and $M_>$ those for which $Q(m) \ge \epsilon'/m_{\max}$. For all $m \in M_>$, the min-entropy $H_{\min}(X|VE, m)_Q$ can thus be bounded by

$$H_{\min}(X|VE, m)_Q \ge n f(J_m - \mu) - \log_2 m_{\max} - \log_2 \frac{1}{\epsilon'}. \qquad (34)$$

Applying an $(m, k_m, \epsilon_{\rm ext})$-randomness extractor to the string $X$ with $k_m$ given by the right-hand side of (34) therefore yields a string that is $\delta_m$-close to a uniformly random string, with $\delta_m \le \epsilon_{\rm ext}$ for $m \in M_>$ and $\delta_m \le 1$ for $m \in M_<$. On average, we thus have

$$\sum_m Q(m)\,\delta_m \le \sum_{m \in M_<} Q(m) + \sum_{m \in M_>} Q(m)\,\epsilon_{\rm ext} \le \sum_{m \in M_<} \frac{\epsilon'}{m_{\max}} + \sum_{m \in M_>} Q(m)\,\epsilon_{\rm ext} \le \epsilon' + \epsilon_{\rm ext}. \qquad (35)$$

Since the actual distribution $P_{XVE}$ characterizing the output of the devices is $\epsilon$-close to $Q_{XVE}$, it directly follows that it provides an $(\epsilon + \epsilon' + \epsilon_{\rm ext})$-secure realization of the protocol. Indeed, by the triangle inequality and the fact that classical processing can only reduce the trace distance, we find $d(P_{RFM}, Q^{\rm sec}_{RFM}) \le d(P_{RFM}, Q_{RFM}) + d(Q_{RFM}, Q^{\rm sec}_{RFM}) \le \epsilon + \epsilon' + \epsilon_{\rm ext}$. By the same argument, the protocol is $(\epsilon_{\rm inp} + \epsilon + \epsilon' + \epsilon_{\rm ext})$-secure when errors inherent to the input generation are taken into account (see Appendix A for an analysis of the errors introduced at this stage).

More generally, the security (in the context of classical side-information) of more complex protocols, such as those considered in [25, 26], where the outputs of one pair of devices are used as inputs for another pair of devices, can directly be proven from Theorem 1 by keeping track of the error propagation.

Efficiency

While the protocol presented above produces new randomness, it also uses a source of initial randomness $S = (S_{\rm inp}, S_{\rm ext})$ to generate the inputs $V$ and perform the final randomness extraction. As a straightforward generalization of condition (10), the security of the protocol requires this initial seed to be uniform and independent from the initial state of the devices, i.e.,

$$P_{SABE} = \omega_S \otimes P_{ABE}, \qquad (36)$$

where $\omega_S$ denotes the uniform distribution on $S$.

This condition is obviously satisfied if $S$ represents the output of a genuine, cryptographically-secure random number generator. Of course, a device-independent randomness expansion protocol is useful only if it produces more randomness at its output than is consumed at its input. It is shown in [14] how the protocol that we have presented above can achieve quadratic expansion by choosing appropriately the probabilities $p_{vw}$ characterizing the input distribution. It can also be used as a primitive in more elaborate protocols where the outputs of one pair of devices are repeatedly used as inputs for another pair of devices. Such protocols can achieve exponential expansion, see [25] and particularly Section 5 of [26] for quantitative details (note that the application of our results, valid against classical side-information, to such concatenated protocols requires not only that the different pairs of devices be unentangled with the adversary to start with, but also that they be unentangled between themselves. This assumption is again very reasonable in a trusted-provider situation).

Note, however, that to generate private randomness, a device-independent protocol does not necessarily need to consume any cryptographically-secure randomness to start with. Indeed, since we assumed in the security analysis that $S$ was made public, the seed $S$ does not need to be random with respect to the adversary, provided that condition (36) is satisfied, i.e., provided that the adversary cannot exploit any prior knowledge about $S$ to influence the behaviour of the devices. If this is the case, which may be reasonable to assume in a trusted-provider situation$^2$, the output of the protocol will nevertheless represent randomness that is private with respect to the adversary.
Appendix

Here we prove that one can use a uniform distribution to efficiently sample, with exponentially small error, from an i.i.d. non-uniform distribution; see also [45, 46].

Theorem 2. Consider the finite alphabet $K = \{a_1, \ldots, a_{|K|}\}$. Let $Q$ be a probability distribution on $K$ with $\min_a Q(a) =$ . Let $a^n = a_1, a_2, \ldots, a_n \in K^n$ be drawn i.i.d. according to $Q$. We denote by $Q^n$ the corresponding probability distribution on $K^n$. Suppose that $x \in \{0, 1\}^m$ is drawn from the uniform distribution $\omega$ on $m$ bits. Then, for any $0 < \gamma < 1/3$, one can construct a function $f : \{0, 1\}^m \to K^n$ such that the induced probability distribution on $K^n$ given by $P(a^n) = \omega(f^{-1}(a^n))$ is $\epsilon$-close to $Q^n$, i.e., $d(P, Q^n) = \frac{1}{2}\sum_{a^n} |P(a^n) - Q^n(a^n)| \le \epsilon$, with $m \ge nH(Q) + o(nH(Q))$ and $\epsilon \le 3\exp[-2n^{1-2\gamma}]$, where $H(Q) = -\sum_a Q(a)\log_2 Q(a)$ is the Shannon entropy of $Q$.

$^2$Note though that even in a trusted-provider situation, the condition (36) may fail if the adversary can modify the behaviour of the devices by controlling external parameters like, e.g., the power supply of the devices.
Proof. The proof follows from Lemmas 4, 5 and 6 below. Lemma 4 shows that there is a probable subset of $K^n$ which occurs with high probability, and Lemma 5 computes the size of this probable subset. In Lemmas 4 and 5 we take the parameter $\alpha = n^{1/2 - \gamma}$. With this choice, from Lemma 4 the error one makes is $\le 2\exp[-2n^{1-2\gamma}]$ and from Lemma 5 the size of the probable subset is $\le 2^{nH(Q) + O(n^{1-\gamma})}$. Finally, Lemma 6 tells us how one can sample efficiently from a distribution of known size. We take the error parameter in Lemma 6 to be $\exp[-2n^{1-2\gamma}]$ (the same as in Lemma 4). The additional size penalty is negligible compared to the one coming from Lemma 5. This proves the result. □

Counting typical sequences. Consider the alphabet $K = \{a_1, \ldots, a_{|K|}\}$. If $x = a^n = a_1, a_2, \ldots, a_n \in K^n$ is a word of length $n$, we denote by $N(a|x)$ the number of occurrences of $a \in K$ in the word $x$ (the collection of these counts is known as the type of the sequence). Let $Q$ be a probability distribution on $K$. Let $a^n = a_1, a_2, \ldots, a_n \in K^n$ be drawn i.i.d. according to $Q$. We denote by $Q^n$ the corresponding probability distribution on $K^n$. For any $\alpha > 0$ define the set

$$T^n_{Q,\alpha} = \big\{x \in K^n : \forall a \in K,\ |N(a|x) - nQ(a)| \le \alpha\sqrt{n}\sqrt{Q(a)}\big\}.$$

Lemma 4. $Q^n(T^n_{Q,\alpha}) \ge 1 - 2|K|\exp[-2\alpha^2 \min_a Q(a)]$.

Proof. $T^n_{Q,\alpha}$ is the intersection of $|K|$ events, namely that for each $a \in K$ the mean of the i.i.d. Bernoulli variables $y_i$, defined by $y_i = 1$ if $a_i = a$ and $y_i = 0$ if $a_i \ne a$, deviates from its expected value $Q(a)$ by at most $\alpha\sqrt{Q(a)}/\sqrt{n}$. By the Hoeffding bound, each of these events has probability $\ge 1 - 2\exp[-2\alpha^2 Q(a)]$. Hence, by the union bound, the intersection of the events has probability $\ge 1 - 2|K|\exp[-2\alpha^2 \min_a Q(a)]$. □



Lemma 5. $|T^n_{Q,\alpha}| \le 2^{nH(Q) + 2\alpha|K|\sqrt{n}}$.

Proof. Consider $x \in T^n_{Q,\alpha}$. Then $Q(x) = \prod_{a \in K} Q(a)^{N(a|x)}$. Hence

$$|-\log_2 Q(x) - nH(Q)| = \Big|\sum_{a \in K} -N(a|x)\log_2 Q(a) - nH(Q)\Big| \le \sum_{a \in K} -\log_2 Q(a)\,|N(a|x) - nQ(a)| \le \sum_{a \in K} -\log_2 Q(a)\,\alpha\sqrt{Q(a)}\sqrt{n} = 2\alpha\sqrt{n}\sum_{a \in K} -\sqrt{Q(a)}\log_2\sqrt{Q(a)} \le 2\alpha|K|\sqrt{n},$$

where the last step uses $-t\log_2 t \le 1$ for $0 \le t \le 1$. Therefore $Q(x) \ge 2^{-nH(Q) - 2\alpha|K|\sqrt{n}}$, and $1 \ge \sum_{x \in T^n_{Q,\alpha}} Q(x) \ge |T^n_{Q,\alpha}|\,2^{-nH(Q) - 2\alpha|K|\sqrt{n}}$, which proves the result. □

Sampling from arbitrary distributions. Suppose that $x \in \{0, 1\}^m$ is drawn from the uniform distribution $\omega$.

Consider a probability distribution $P(z)$ on $z \in \{0, 1\}^k$. We want to use $x$ to sample with high precision from $P(z)$. That is, we define a function $f : \{0, 1\}^m \to \{0, 1\}^k : x \mapsto f(x)$ such that the induced probability distribution $P'(z) = \omega(f^{-1}(z))$ is close to $P(z)$, as measured by the trace distance $d(P, P') = \frac{1}{2}\sum_z |P(z) - P'(z)|$. We have:

Lemma 6. For any $\epsilon > 0$, if $m \ge k + \log_2 \frac{1}{\epsilon}$ we can construct a function $f$ such that $d(P, P') \le \epsilon$.

Proof. We view any $x \in \{0, 1\}^m$ as a number in $[0, 1]$ written in binary: $x = \sum_{i=1}^{m} x_i 2^{-i}$.

We define $P'(z)$, an $m$-bit binary fraction, as the largest such number not exceeding $P(z)$. Therefore $0 \le P(z) - P'(z) < 2^{-m}$. We have $1 - \sum_z P'(z) = \sum_z \big(P(z) - P'(z)\big) \le 2^{-(m-k)}$, since there are $2^k$ values of $z$. To have a normalised distribution we define an additional outcome $\bot$ with $P'(\bot) = 1 - \sum_z P'(z)$. Using $x \in \{0, 1\}^m$ drawn from the uniform distribution $\omega$, we can therefore sample from $P'(z)$ thus defined with $d(P, P') = \frac{1}{2}\sum_z |P(z) - P'(z)| + \frac{1}{2}P'(\bot) \le 2^{-(m-k)}$. (The function $f$ can be explicitly defined through $f^{-1}(z) = \big\{x : \sum_{z' < z} P'(z') \le x < \sum_{z' \le z} P'(z')\big\}$, with $x$ read as the binary fraction above and the outcomes $z$ taken in some fixed order.) □
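The construction in the proof of Lemma 6, carried out in code as an added example that is not part of the paper. It uses exact rational arithmetic so that the bound $d(P, P') \le 2^{-(m-k)}$ can be checked exactly, including the mass that lands on the abort outcome $\bot$. The target distribution `P_EXAMPLE` on $k = 2$-bit strings and the choice $\epsilon = 1/64$ are constructed values; `sample_iid` is the naive per-symbol use of $f$, included to contrast the $n \cdot m$ seed bits it consumes with the $nH(Q) + o(n)$ of Theorem 2 (the typical-set construction of Lemmas 4 and 5 is not implemented here).

```python
"""Lemma 6 sampler (added example): m uniform bits -> a sample from an
arbitrary distribution P on k-bit strings, at trace distance <= 2^-(m-k)."""
import math
from fractions import Fraction

ABORT = "bot"                      # the extra outcome written ⊥ in Lemma 6


def bits_needed(k, eps):
    """Seed length of Lemma 6: m >= k + log2(1/eps)."""
    return math.ceil(k + math.log2(1 / eps))


def truncate(P, m):
    """P'(z): the largest m-bit binary fraction not exceeding P(z), so that
    0 <= P(z) - P'(z) < 2^-m for every z."""
    scale = 2 ** m
    return {z: Fraction(int(p * scale), scale) for z, p in P.items()}


def build_sampler(P, m):
    """Return (f, P').  f maps a seed x in {0, ..., 2^m - 1}, read as the
    binary fraction x / 2^m, to the outcome z whose interval
    [sum_{z' < z} P'(z'), sum_{z' <= z} P'(z')) contains it, or to ABORT
    when x / 2^m falls in the leftover mass P'(⊥) = 1 - sum_z P'(z)."""
    Pp = truncate(P, m)
    edges, acc = [], Fraction(0)
    for z in sorted(Pp):           # any fixed ordering of the outcomes works
        acc += Pp[z]
        edges.append((acc, z))
    Pp[ABORT] = 1 - acc

    def f(x):
        u = Fraction(x, 2 ** m)
        for upper, z in edges:
            if u < upper:
                return z
        return ABORT
    return f, Pp


def induced_distribution(f, m):
    """omega(f^{-1}(z)): the law of f(x) for uniform x, by exhausting seeds."""
    counts = {}
    for x in range(2 ** m):
        z = f(x)
        counts[z] = counts.get(z, 0) + 1
    return {z: Fraction(c, 2 ** m) for z, c in counts.items()}


def trace_distance(P, Q):
    """d(P, Q) = 1/2 sum_z |P(z) - Q(z)| over the union of the supports."""
    return sum(abs(P.get(z, 0) - Q.get(z, 0)) for z in set(P) | set(Q)) / 2


def sample_iid(f, m, seed_bits):
    """Naive i.i.d. extension: spend m seed bits per symbol; any ABORT aborts
    the whole sequence.  Costs n*m bits, against nH(Q) + o(n) in Theorem 2."""
    out = []
    for i in range(0, len(seed_bits) - m + 1, m):
        z = f(int("".join(map(str, seed_bits[i:i + m])), 2))
        if z == ABORT:
            return ABORT
        out.append(z)
    return out


# Constructed target distribution on k = 2-bit strings (not from the paper).
P_EXAMPLE = {"00": Fraction(1, 3), "01": Fraction(1, 3),
             "10": Fraction(1, 6), "11": Fraction(1, 6)}
```

For `P_EXAMPLE` with $\epsilon = 1/64$ the lemma asks for $m = 8$ seed bits; truncating to eighths of $1/256$ leaves $2/256$ of probability on $\bot$, and the exact distance to $P$ is $1/128$, half the guaranteed bound $2^{-6}$. Because the intervals are aligned to multiples of $2^{-m}$, the distribution induced by a uniform seed is exactly $P'$, which is what the proof relies on.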